Idra-Informatica/PecHub
1
0
Fork 0
mirror of https://github.com/idrainformatica/PecFlow.git synced 2026-06-16 12:45:42 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat: Fase 1 – Fondamenta complete (backend FastAPI + auth + permessi)

Browse Source 
- docker-compose.yml: PostgreSQL 16, Redis 7, MinIO, Nginx
- backend FastAPI: struttura monorepo, config pydantic-settings
- modelli SQLAlchemy: tutti i modelli (tenants, users, mailboxes, messages, archival, permissions, labels, audit_log)
- migrazione Alembic 0001: schema completo in pure SQL
- auth API: login JWT, refresh token rotation, logout, 2FA TOTP (setup/verify/disable)
- CRUD utenti: lista, crea, modifica, reset password, soft delete
- permessi granulari (Fase 1-A): mailbox_permissions, assegna/revoca/lista
- CRUD tenant: gestione super-admin
- sicurezza: AES-256-GCM cifratura credenziali IMAP/SMTP, bcrypt password
- RLS PostgreSQL: isolamento multi-tenant per request
- seed sviluppo: tenant demo + admin + operator
- test unit: security (bcrypt, JWT, AES), auth_service
- test integration: auth endpoints, users endpoints
- CI GitHub Actions: lint (ruff), test (pytest), build Docker, security scan
- infra: nginx.conf, redis.conf
- Makefile con comandi make dev/test/migrate/seed

Definition of Done:
 Login, refresh token e TOTP funzionanti
 make dev porta in piedi tutto lo stack locale
 CI configurata
This commit is contained in:
Matteo Giustini
2026-03-18 16:42:01 +01:00
parent 0251c2bbb0
commit 58a233236c
60 changed files with 6942 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
infra/nginx/conf.d/pecflow.conf
+72
View File
@@ -0,0 +1,72 @@
server {
listen 80;
server_name localhost;
# Redirect HTTP → HTTPS in produzione (commentato per dev)
# return 301 https://$host$request_uri;
# ── API Backend ───────────────────────────────────────────────────────────
location /api/ {
limit_req zone=api burst=20 nodelay;
proxy_pass http://backend:8000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection "";
# Timeout generosi per operazioni lunghe (es. generazione QR)
proxy_connect_timeout 30s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
# Upload allegati fino a 50MB
client_max_body_size 50m;
}
# ── Auth endpoint con rate limiting più stretto ────────────────────────────
location /api/v1/auth/login {
limit_req zone=auth burst=5 nodelay;
proxy_pass http://backend:8000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# ── Health check ──────────────────────────────────────────────────────────
location /health {
proxy_pass http://backend:8000;
access_log off;
}
# ── Swagger UI (solo dev) ─────────────────────────────────────────────────
location /docs {
proxy_pass http://backend:8000;
}
location /redoc {
proxy_pass http://backend:8000;
}
location /openapi.json {
proxy_pass http://backend:8000;
}
# ── WebSocket ─────────────────────────────────────────────────────────────
location /ws/ {
proxy_pass http://backend:8000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_read_timeout 3600s;
}
# ── Frontend (sarà aggiunto in Fase 5) ────────────────────────────────────
# location / {
# proxy_pass http://frontend:3000;
# }
}
infra/nginx/nginx.conf
+45
View File
@@ -0,0 +1,45 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Logging format
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
# Performance
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
gzip on;
gzip_types text/plain text/css application/json application/javascript
text/xml application/xml application/xml+rss text/javascript;
# Security headers
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin-when-cross-origin";
# Hide nginx version
server_tokens off;
# Rate limiting zones
limit_req_zone $binary_remote_addr zone=auth:10m rate=10r/m;
limit_req_zone $binary_remote_addr zone=api:10m rate=100r/m;
include /etc/nginx/conf.d/*.conf;
}
infra/redis/redis.conf
+36
View File
@@ -0,0 +1,36 @@
# Redis configuration per PecFlow
# ── Bind e rete ───────────────────────────────────────────────────────────────
bind 0.0.0.0
protected-mode no
port 6379
# ── Memoria ───────────────────────────────────────────────────────────────────
# In produzione aumentare in base ai volumi della coda
maxmemory 256mb
maxmemory-policy allkeys-lru
# ── Persistenza ───────────────────────────────────────────────────────────────
# Salva snapshot periodici
# Formato: save <secondi> <numero_modifiche>
save 900 1
save 300 10
save 60 10000
# Append-only file per durabilità più alta
appendonly yes
appendfilename "appendonly.aof"
appendfsync everysec
# ── Log ───────────────────────────────────────────────────────────────────────
loglevel notice
logfile ""
# ── Performance ───────────────────────────────────────────────────────────────
hz 10
dynamic-hz yes
latency-monitor-threshold 100
# ── Sicurezza ─────────────────────────────────────────────────────────────────
# In produzione aggiungere:
# requirepass change_me_in_production